Subject: Source/Policy based routing - using IPTABLES on Linux 2.4
Category: Computers > Operating Systems
Asked by: jonnyboy_uk-ga
List Price: $100.00
Posted: 09 Nov 2003 07:56 PST
Expires: 09 Dec 2003 07:56 PST
Question ID: 274082
Hi, I have 4 Smoothwall boxes (Linux 2.4, IPTABLES, 2 NICs) and I need the first box to re-route traffic to the other Smoothwall boxes depending on the source IP address (basically so it just becomes another hop in the route). I have spent hours trying to get it to work using examples and HOWTOs but have had no luck whatsoever. I have already spent over a week trying to get our L3 routing switches to do this, but HP tell me it is impossible; this leaves me with Smoothwall and IPTABLES. They are all Corporate Server 3 boxes (but they are very similar to GPL v2.0) and I have also tried asking Smoothwall directly, but the response was that it "might" affect the effectiveness of Smoothwall.

Here is a diagram of the setup... http://www.niceandsafe.f2s.com/smooth/srcroute.gif

I have tried the following lines in my rc.firewall.up file without success:

    /sbin/iptables -t nat -A POSTROUTING -o eth0 -s 10.1.2.0/24 -j SNAT --to 10.1.1.11

OR

    /sbin/iptables -t filter -I FORWARD -i eth0 -o eth0 -s 10.1.2.0/24 -j ACCEPT -d 10.1.1.11

I know I don't have to specify the table 'filter', this is just for the example, and I also know that something is probably very wrong here, but I have never used source based routing before, or IPTABLES for that matter. And yes, eth0 is definitely my Green interface.

Thanks in advance
There is no answer at this time.
Subject: Re: Source/Policy based routing - using IPTABLES on Linux 2.4
From: gcbirzan-ga on 18 Nov 2003 23:10 PST
First of all, this isn't easily done with netfilter, but it can be done using the ROUTE target: http://www.netfilter.org/documentation/pomlist/pom-extra.html#ROUTE

You'd need to do something like:

    iptables -A POSTROUTING -t mangle -s 10.1.2.0/24 -j ROUTE --gw 10.1.1.11
    iptables -A POSTROUTING -t mangle -s 10.1.3.0/24 -j ROUTE --gw 10.1.1.12

It can be done with no kernel modification, by using iproute2's policy routing. First, you need to create two (Or three, you only mentioned two VLANs in your diagram, but there were three listed.) tables:

    echo 200 VLAN2 >> /etc/iproute2/rt_tables
    echo 201 VLAN3 >> /etc/iproute2/rt_tables

For VLAN2 (VLAN3 will be similar):

    ip route add 10.1.1.0/24 dev eth0 table VLAN2
    ip route add default via 10.1.1.11 table VLAN2
    ip rule add from 10.1.2.0/24 table VLAN2

In English, that sets up an alternate routing table for all packets coming from 10.1.2.0/24, with a route for 10.1.1.0/24 through eth0 and a default route through 10.1.1.11.

If for whatever reason you want packets coming back from the Internet to go through 10.1.1.10, you need to, on Smoothie2, add the following route (This applies to the netfilter method, too):

    ip ro add 10.1.2.0/24 via 10.1.1.11

For more details about this, check out http://lartc.org/howto/lartc.rpdb.html#LARTC.RPDB.SIMPLE

I strongly recommend the second method though, not only because it's the only one I've tried, but because it keeps routing decisions where they should be, not in the packet filter.

HTH
Subject: Re: Source/Policy based routing - using IPTABLES on Linux 2.4
From: gcbirzan-ga on 18 Nov 2003 23:11 PST
    ip ro add 10.1.2.0/24 via 10.1.1.11

should, obviously, read:

    ip ro add 10.1.2.0/24 via 10.1.1.10
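The iproute2 method from the two comments above, packaged as an added example script. This is not code from the original thread, from gcbirzan-ga, or from Smoothwall; it only reuses the values the comments give (table ids 200/201, names VLAN2/VLAN3, source subnets 10.1.2.0/24 and 10.1.3.0/24, next hops 10.1.1.11 and 10.1.1.12, interface eth0). Two things it adds that the bare command list does not: it is safe to re-run from rc.firewall.up (the rt_tables append is guarded so the file does not grow on every boot, `ip route replace` is used instead of `ip route add`, and the `ip rule` is only added if absent), and it prints the commands for review by default, applying them only when APPLY=1 is set. The SNAT rule in the question could never do this job, because SNAT rewrites the source address after the routing decision has already been made; policy routing changes the decision itself. The `check_route` helper uses the kernel's own lookup to confirm which table a given source would be steered into, which is the first thing to verify after applying the rules. The matching return route on the second box (10.1.2.0/24 via 10.1.1.10, per the correction) still has to be added there by hand.

```shell
#!/bin/sh
# Added example (not from the original thread): idempotent iproute2 policy
# routing setup for per-source-subnet next hops. Values below come from the
# comments in the thread; adjust them for your own network.

# One line per VLAN: "<table-id> <table-name> <source-subnet> <next-hop>"
POLICY_SPEC='200 VLAN2 10.1.2.0/24 10.1.1.11
201 VLAN3 10.1.3.0/24 10.1.1.12'

LAN_NET=10.1.1.0/24
LAN_IF=eth0
# Overridable so the generator can be exercised without touching the real file.
RT_TABLES=${RT_TABLES:-/etc/iproute2/rt_tables}

# Print (not run) the commands for one VLAN. The rule is emitted last so the
# table is fully populated before traffic is directed into it.
emit_vlan_cmds() {
    id=$1; name=$2; src=$3; gw=$4
    # rt_tables is a plain text file; append the name only if it is not there yet.
    if ! grep -qs "^$id[[:space:]][[:space:]]*$name\$" "$RT_TABLES"; then
        echo "echo '$id $name' >> $RT_TABLES"
    fi
    # 'replace' is idempotent, 'add' would fail on the second run.
    echo "ip route replace $LAN_NET dev $LAN_IF table $name"
    echo "ip route replace default via $gw table $name"
    # 'ip rule add' is not idempotent: guard it so rules do not pile up.
    echo "ip rule show | grep -q 'from $src lookup $name' || ip rule add from $src table $name"
}

# Walk the spec and emit the full command list.
emit_all_cmds() {
    echo "$POLICY_SPEC" | while read -r id name src gw; do
        [ -n "$id" ] || continue
        emit_vlan_cmds "$id" "$name" "$src" "$gw"
    done
}

# Ask the kernel which route a packet from <src> to <dst> arriving on the LAN
# interface would take; the output names the table ("table VLAN2") when the
# policy rule matched. Usage: check_route 10.1.2.50 192.0.2.1
check_route() {
    ip route get "$2" from "$1" iif "$LAN_IF"
}

if [ "${APPLY:-0}" = 1 ]; then
    emit_all_cmds | sh -e
else
    emit_all_cmds
fi
```

Run it once without APPLY to read the generated commands, then with `APPLY=1` as root. After that, `check_route 10.1.2.50 192.0.2.1` should report a route via 10.1.1.11 in table VLAN2, while a source outside the listed subnets falls through to the main table and the box's normal default gateway.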